Data security method and device for computer modules

ABSTRACT

A security method for an attached computer module in a computer system. The security method reads a security identification number in an attached computer module and compares it to a security identification number in a console, which houses the attached computer module. Based upon a relationship between these numbers, a security status is selected. The security status determines the security level of operating the computer system.

Notice: More than one reissue application has been filed for the reissue of U.S. Pat. No. 6,643,777. The reissue applications are U.S. application Ser. No. 11/056,604 (a parent reissue application), Ser. No. 11/545,056 (which is a reissue continuation of the parent reissue application), Ser. No. 12/561,138 (which is a reissue continuation of the parent reissue application), Ser. No. 13/294,108 (which is a reissue continuation of U.S. application Ser. No. 12/561,138), and Ser. No. 13/562,210 (the present application, which is a reissue continuation of U.S. application Ser. No. 13/294,108).

This application is a reissue continuation of U.S. application Ser. No. 13/294,108, which is a reissue continuation of U.S. application Ser. No. 12/561,138, which is a reissue continuation of U.S. application Ser. No. 11/056,604, which is a reissue of U.S. Pat. No. 6,643,777, which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

The present invention relates to computing devices. More particularly, the present invention provides a method and device for securing a personal computer or set-top box. Merely by way of example, the present invention is applied to a modular computing environment for desk top computers, but it will be recognized that the invention has a much wider range of applicability. It can be applied to other portable or modular computing applications.

Many desktop or personal computers, which are commonly termed PCs, have been around and used for over ten years. The PCs often come with state-of-art microprocessors such as the Intel Pentium™ microprocessor chips. They also include a hard or fixed disk drive including memory in the giga-byte range. Additionally, the PCs often include a random access memory integrated circuit device such as a dynamic random access memory device, which is commonly termed DRAM. The DRAM devices now provide up to millions of memory cells (i.e., mega-bit) on a single slice of silicon. PCs also include a high resolution display such as cathode ray tubes or CRTs. In most cases, the CRTs are at least 15 inches or 17 inches or 19 inches in diameter. High resolution flat panel displays are also used with PCs.

Many external or peripheral devices can be used with the PCs. Among others, these peripheral devices include mass storage devices such as a Zip™ Drive product sold by Iomega Corporation of Utah. Other storage devices include external hard drives, tape drives, and others. Additional devices include communication devices such as a modem, which can be used to link the PC to a wide area network of computers such as the Internet. Furthermore, the PC can include output devices such as a printer and other output means. Moreover, the PC can include special audio output devices such as speakers and the like.

PCs also have easy to use keyboards, mouse input devices, and the like. The keyboard is generally configured similar to a typewriter format. The keyboard also has the length and width for easily inputting information by way of keys to the computer. The mouse also has a sufficient size and shape to easily move a cursor on the display from one location to another location.

Other types of computing devices include portable computing devices such as “laptop” computers and the like. Although somewhat successful, laptop computers have many limitations. These computing devices have expensive display technology. In fact, these devices often have a smaller flat panel display that has poor viewing characteristics. Additionally, these devices also have poor input devices such as smaller keyboards and the like. Furthermore, these devices have limited common platforms to transfer information to and from these devices and other devices such as PCs.

Up to now, there has been little common ground between these platforms including the PCs and laptops in terms of upgrading, ease-of-use, cost, performance, and the like. Many differences between these platforms, probably somewhat intentional, have benefited computer manufacturers at the cost of consumers. A drawback to having two separate computers is that the user must often purchase both the desktop and laptop to have “total” computing power, where the desktop serves as a “regular” computer and the laptop serves as a “portable” computer. Purchasing both computers is often costly and runs “thousands” of dollars. The user also wastes a significant amount of time transferring software and data between the two types of computers. For example, the user must often couple the portable computer to a local area network (i.e., LAN), to a serial port with a modem and then manually transfer over files and data between the desktop and the portable computer. Alternatively, the user often must use floppy disks to “zip” up files and programs that exceed the storage capacity of conventional floppy disks, and transfer the floppy disk data manually.

Another drawback with the current model of separate portable and desktop computer is that the user has to spend money to buy components and peripherals that are duplicated in at least one of these computers. For example, both the desktop and portable computers typically include hard disk drives, floppy drives, CD-ROMs, computer memory, host processors, graphics accelerators, and the like. Because program software and supporting programs generally must be installed upon both hard drives in order for the user to operate programs on the road and in the office, hard disk space is often wasted.

One approach to reduce some of these drawbacks has been the use of a docking station with a portable computer. Here, the user has the portable computer for “on the road” use and a docking station that houses the portable computer for office use. The docking station typically includes a separate monitor, keyboard, mouse, and the like and is generally incompatible with other desktop PCs. The docking station is also generally not compatible with portable computers of other vendors. Another drawback to this approach is that the portable computer typically has lower performance and functionality than a conventional desktop PC. For example, the processor of the portable is typically much slower than processors in dedicated desktop computers, because of power consumption and heat dissipation concerns. As an example, it is noted that at the time of drafting of the present application, some top-of-the-line desktops include 400 MHz processors, whereas top-of-the-line notebook computers include 266 MHz processors.

Another drawback to the docking station approach is that the typical cost of portable computers with docking stations can approach the cost of having a separate portable computer and a separate desktop computer. Further, as noted above, because different vendors of portable computers have proprietary docking stations, computer users are held captive by their investments and must rely upon the particular computer vendor for future upgrades, support, and the like.

To date, most personal computers provide data file security through software only. A wide variety of removable storage media are available for a personal computer. These removable media do not provide any access security protection in hardware. A data encryption program often must be used for protection. Such a program is cumbersome for the user to handle, requiring extra cost and time. Data encryption is more commonly used for communication over an unprotected network or the Internet. Having a large number of frequently used files managed by encryption software is not practical. Without a software security program, any file can be read and copied illegally from a hard disk drive on a PC or any removable media.

PC architecture generally allows freedom of data flow between memory and peripheral devices within the allowed memory and I/O address spaces. In conventional PC architecture, a peripheral bus, i.e. PCI bus, is used to control all data transactions among peripheral devices. PCI bus allows any device to be a bus master and perform data transactions with another device. Also when a software program is in control, it can move data between any two devices. There is no hardware or protocol security mechanism on a standard peripheral bus such as PCI Bus to detect or block data transactions. The operating system may have individual files read or write protected. These types of special security features require significant additional user interaction to control. This is too cumbersome for a typical user to manage. There is no mechanism in current PCs to allow access to the primary hard disk drive and yet prevent copying of its content. The conventional PC is a single machine that does not have a mechanism to perform security ID matching in hardware.

Thus, what is needed are computer systems that provide improved security features to prevent illegal or unauthorized access to information.

SUMMARY OF THE INVENTION

According to the present invention, a technique including a method and device for securing a computer module in a computer system is provided. In an exemplary embodiment, the present invention provides a security system for an attached computer module (“ACM”). In an embodiment, the ACM inserts into a computer module bay (CMB) within a peripheral console to form a functional computer. A security program reads an identification number in a security memory device to determine a security level of the ACM according to one embodiment.

In a specific embodiment, the present invention provides a system for secured information transactions. The system has a console (e.g., computer housing) comprising a peripheral controller housed in the console; and a security memory device (e.g., flash memory device) coupled to the peripheral controller. The system also has an attached computer module (i.e., a removable module with memory and microprocessor) coupled to the console. The attached computer module has a host interface controller housed within the attached computer module to interface to the security memory device through the peripheral controller.

In an alternative embodiment, the present invention provides a security protection method for a computer module. The method includes steps or acts of inserting the computer module into a console. Once the module has been inserted, the method initiates a security program in the module to read a security identification of the console and to read a security identification of the computer module. Based upon a relationship of the console identification and the computer module identification, a predetermined security status is determined from, for example, a look up table or the like. The method then selects the predetermined security status, which can be one of many. The method then operates the computer module based upon the security status.

In a further alternative embodiment, the present invention provides a method for identifying a user for a computer module. The method includes inserting a computer module into a console; and initiating a security program in memory of the computer module. The method prompts a plurality of input fields corresponding to respective input information on a user interface to be provided by a user of the computer module. Next, the method inputs the input information into the user interface of the computer module. The input information includes a user (e.g., owner) name, a user (e.g., owner) password, a business name, a business password, and a location.

Still further, the present invention provides a system for secured information transactions, e.g., data security, electronic commerce, private communications. The system includes a console comprising a peripheral controller housed in the console. A user identification input device (e.g., keyboard, retinal reader, finger print reader, voice recognition unit) is coupled to the peripheral controller. The user identification input device is provided for user identification data of the user. The system has an attached computer module coupled to the console. The attached computer module has a security memory device (e.g., flash memory device) stored with the user identification data.

Numerous benefits are achieved using the present invention over previously existing techniques. The present invention provides mechanical and electrical security systems to prevent theft or unauthorized use of the computer system in a specific embodiment. Additionally, the present invention substantially prevents accidental removal of the ACM from the console. In some embodiments, the present invention prevents illegal or unauthorized use during transit. The present invention is also implemented using conventional technologies that can be provided in the present computer system in an easy and efficient manner. Depending upon the embodiment, one or more of these benefits can be available. These and other advantages or benefits are described throughout the present specification and are described more particularly below.

These and other embodiments of the present invention, as well as its advantages and features, are described in more detail in conjunction with the text below and attached FIGS.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified diagram of a computer system according to an embodiment of the present invention;

FIG. 2 is a simplified diagram of a computer module according to an embodiment of the present invention;

FIG. 3 is a simplified top-view diagram of a computer module according to an embodiment of the present invention;

FIG. 4 is a simplified illustration of security systems according to embodiments of the present invention;

FIG. 5 is a simplified diagram of a computer module in a console according to an embodiment of the present invention;

FIG. 6 is a simplified diagram of a security method for a module according to an embodiment of the present invention; and

FIG. 7 is a simplified diagram of a method according to an embodiment of the present invention.

FIG. 8 is a simplified diagram of a system 800 according to an alternative embodiment of the present application.

FIG. 9 depicts a peripheral console configuration.

FIG. 10 is a block diagram of one embodiment of a computer system employing the present invention.

FIG. 11 is a block diagram of an attached computing module (ACM).

FIG. 12 is a block diagram of a peripheral console (PCON).

FIG. 13 is a block diagram of one embodiment of a computer system using the interface of the present invention.

FIG. 14 is a detailed block diagram of one embodiment of the host interface controller of the present invention.

FIG. 15 is a detailed block diagram of one embodiment of the PIC of the present invention.

FIG. 16 is a schematic diagram of the signal lines PCK, PD0 to PD3, and PCN.

FIG. 17 is a partial block diagram of a computer system using the interface of the present invention as a bridge between the north and south bridges of the computer system.

FIG. 18 is a partial block diagram of a computer system in which the north and south bridges are integrated with the host and peripheral interface controllers, respectively.

FIG. 19 shows an attached computer module with Integrated CPU/NB/Graphics and Integrated HIC/SB.

FIG. 20 shows an attached computer module with single chip fully integrated: CPU, Cache, Core Logic, Graphics controller and Interface controller.

FIGS. 21 and 22 are tables including the pin number, symbol, signal, standard and description for the pins on the peripheral and video connectors, respectively.

FIG. 23 is a table showing the symbols, signals, data rate and description of signals in a first embodiment of the XPBus.

FIG. 24 is a table showing different types of first nibbles and their corresponding data packet types.

DESCRIPTION OF THE SPECIFIC EMBODIMENTS

FIG. 1 is a simplified diagram of a computer system 1 according to an embodiment of the present invention. This diagram is merely an illustration and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The computer system 1 includes an attached computer module (i.e., ACM) 10, a desktop console 20, among other elements. The computer system is modular and has a variety of components that are removable. Some of these components (or modules) can be used in different computers, workstations, computerized television sets, and portable or laptop units.

In the present embodiment, ACM 10 includes computer components, as will be described below, including a central processing unit (“CPU”), IDE controller, hard disk drive, computer memory, and the like. The computer module bay (i.e., CMB) 40 is an opening or slot in the desktop console. The CMB houses the ACM and provides communication to and from the ACM. The CMB also provides mechanical protection and support to ACM 10. The CMB has a mechanical alignment mechanism for mating a portion of the ACM to the console. The CMB further has thermal heat dissipation sinks, electrical connection mechanisms, and the like. Some details of the ACM can be found in co-pending U.S. patent application Ser. Nos. 09/149,882 and 09/149,548 filed Sep. 8, 1998 commonly assigned, and hereby incorporated by reference for all purposes.

In a preferred embodiment, the present system has a security system, which includes a mechanical locking system, an electrical locking system, and others. The mechanical locking system includes at least a key 11. The key 11 mates with key hole 13 in a lock, which provides a mechanical latch 15 in a closed position. The mechanical latch, in the closed position, mates and interlocks the ACM to the computer module bay. The mechanical latch, which also has an open position, allows the ACM to be removed from the computer module bay. Further details of the mechanical locking system are shown in the FIG. below.

FIG. 2 is a simplified diagram of a computer module 10 according to an embodiment of the present invention. This diagram is merely an illustration and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. Some of the reference numerals are similar to the previous FIG. for easy reading. The computer module 10 includes key 11, which is insertable into keyhole 13 of the lock. The lock has at least two positions, including a latched or closed position and an unlatched or open position. The latched position secures the ACM to the computer module bay. The unlatched or open position allows the ACM to be inserted into or removed from the computer bay module. As shown, the ACM also has a slot or opening 14, which allows the latch to move into and out of the ACM. The ACM also has openings 17 in the backside for an electrical and/or mechanical connection to the computer module bay, which is connected to the console.

FIG. 3 is a simplified top-view diagram 10 of a computer module for computer system according to an embodiment of the present invention. This diagram is merely an illustration and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The layout diagram illustrates the top-view of the module 10, where the backside components (e.g., Host Interface Controller) are depicted in dashed lines. The layout diagram has a first portion, which includes a central processing unit (“CPU”) module 400, and a second portion, which includes a hard drive module 420. A common printed circuit board 437 houses these modules and the like. Among other features, the ACM includes the central processing unit module 400 with a cache memory 405, which is coupled to a north bridge unit 421, and a host interface controller 401. The host interface controller includes a lock control 403. As shown, the CPU module is disposed on a first portion of the attached computer module, and couples to connectors 17. Here, the CPU module is spatially located near connector 17.

The CPU module can use a suitable microprocessing unit, microcontroller, digital signal processor, and the like. In a specific embodiment, the CPU module uses, for example, a 400 MHz Pentium II microprocessor module from Intel Corporation and like microprocessors from AMD Corporation, Cyrix Corporation (now National Semiconductor Corporation), and others. In other aspects, the microprocessor can be one such as the Compaq Computer Corporation Alpha Chip, Apple Computer Corporation PowerPC G3 processor, and the like. Further, higher speed processors are contemplated in other embodiments as technology increases in the future.

In the CPU module, host interface controller 401 is coupled to BIOS/flash memory 405. Additionally, the host interface controller is coupled to a clock control logic, a configuration signal, and a peripheral bus. The present invention has a host interface controller that has lock control 403 to provide security features to the present ACM. Furthermore, the present invention uses a flash memory that includes codes to provide password protection or other electronic security methods.

The second portion of the attached computer module has the hard drive module 420. Among other elements, the hard drive module includes north bridge 421, graphics accelerator 423, graphics memory 425, a power controller 427, an IDE controller 429, and other components. Adjacent to and in parallel alignment with the hard drive module is a personal computer interface (“PCI”) bus 431, 432. A power regulator 435 is disposed near the PCI bus.

In a specific embodiment, north bridge unit 421 often couples to a computer memory, to the graphics accelerator 423, to the IDE controller, and to the host interface controller via the PCI bus. Graphics accelerator 423 typically couples to a graphics memory 423, and other elements. IDE controller 429 generally supports and provides timing signals necessary for the IDE bus. In the present embodiment, the IDE controller is embodied as a 643U2 PCI-to IDE chip from CMD Technology, for example. Other types of buses than IDE are contemplated, for example EIDE, SCSI, USB, and the like in alternative embodiments of the present invention.

The hard drive module or mass storage unit 420 typically includes a computer operating system, application software program files, data files, and the like. In a specific embodiment, the computer operating system may be the Windows98 operating system from Microsoft Corporation of Redmond Washington. Other operating systems, such as WindowsNT, MacOS8, Unix, and the like are also contemplated in alternative embodiments of the present invention. Further, some typical application software programs can include Office98 by Microsoft Corporation, Corel Perfect Suite by Corel, and others. Hard disk module 420 includes a hard disk drive. The hard disk drive, however, can also be replaced by removable hard disk drives, read/write CD ROMs, flash memory, floppy disk drives, and the like. A small form factor, for example 2.5″, is currently contemplated, however, other form factors, such as PC card, and the like are also contemplated. Mass storage unit 240 may also support other interfaces than IDE.

In a specific embodiment, the present invention provides a file and data protection security system and method for a removable computer module or ACM. ACM contains the primary hard disk drive (HDD) where the operating system, application programs, and data files reside. The security system is used to prevent illegal access and copying of any file residing on the HDD inside ACM. An ACM is a self-contained computing device that can be armed with security software and hardware to protect its owner's private files and data. ACM docks with a computer bay in a wide variety of peripheral consoles. The combined ACM and peripheral console function as a personal computer. A computer module interface bus connects ACM and peripheral device. In some embodiments, all ACM data passes through computer module interface (CMI) bus to reach any device in the peripheral console, i.e. floppy drive, removable media, secondary hard disk drive, modem, and others. CMI bus data transfer is controlled by a pair of interface controllers on either side of the bus. This partitioning of a personal computer offers a way of protecting against illegal access of data residing within ACM by guarding data transaction through the computer module interface bus.

In a specific embodiment, a secured ACM has an enclosure that includes the following components:

1) A CPU,
2) Main memory,
3) A primary Hard Disk Drive (HDD),
4) Operating System, application software, data files on primary HDD,
5) Interface circuitry and connectors to peripheral console,
6) Flash memory used for storing security code and ID,
7) Data detection and control circuitry to manage data flow to peripheral console,
8) Circuit board connecting the above components, and others.

A peripheral console includes some of the following elements:

1) Input means, e.g. keyboard and mouse,
2) Display means, e.g. CRT monitor, or integrated LCD display,
3) Removable storage media subsystem, e.g. Floppy drive, CDROM drive,
4) Communication device, e.g. LAN or modem,
5) Computer Module Bay, interface device and connectors to ACM,
6) Flash memory with security ID,
7) Power supply or battery system, and other devices.

The Computer Module Bay (CMB) is an opening in a peripheral console that receives ACM. CMB provides mechanical protection and electrical connection to ACM. The Computer Module Interface bus is made up of 3 bus components: video bus, peripheral data bus, and power bus. Video Bus consists of video output of graphics devices, i.e. analog RGB and control signals for monitor, or digital video signals to drive flat panel displays. Power bus supplies the power for ACM. Peripheral data bus is a high speed, compressed, peripheral bridge bus managed by a Host Interface Controller in ACM and a peripheral Interface Controller in peripheral console. In some embodiments, all peripheral data transaction passes through the interface controllers.

The implementation of the secured ACM generally includes the following elements:

1) A programmable Flash memory controlled by the Peripheral Interface Controller containing the security ID for the peripheral console,
2) A programmable Flash memory controlled by the Host Interface Controller containing hardware specific security code and ID for the computer module,
3) A data detection and control circuitry within Host Interface Controller to detect and manage data going out of ACM, and
4) A low level hardware dependent security code to perform security ID matching, hardware programming to manage data flow,
5) A high-level security program to manage user interface, program security ID, program security level, and other functions.

The hardware and software implementation allow more flexibility in the level of security protection offered to an ACM owner. Some examples of security levels are:

1) No access—Security IDs do not match according to owner's requirement. The Host Interface Controller blocks all peripheral data traffic between ACM and peripheral console except for keyboard and mouse,
2) Peripheral Read-only—No files can be written to any peripheral devices. All peripheral devices in peripheral console are managed as Read-only devices. The primary hard disk drive in ACM can be accessed freely,
3) Limited access—Certain peripheral devices are allowed read/write access, i.e. modem, and other devices are Read-only, i.e. removable media devices,
4) Full access—No restriction, and others.

Upon power up, the low level security code is executed to compare security ID between the respective flash memory between ACM and peripheral console. Typical security ID can include:

1) User ID
2) User password
3) User Access privilege
4) Business ID
5) Business password
6) Equipment ID
7) Equipment access privilege, and any other security IDs.

The user through the security program can activate different levels of password protection, which can be stored in a look up table. The company through the security program can control different levels of access privilege of a user, a business group, or equipment. The security code then programs the security level allowed by the access privilege determined by the security ID matching result. For example, if an unidentified peripheral console is detected upon power up by the low level security code, e.g. a home unit, the access privilege can be set to Peripheral Read-only. With Read-only access privilege for all peripheral devices in peripheral console, the data detection and control circuitry is programmed to monitor all data traffic going to the peripheral console. Any memory block transfer to peripheral console will be detected and blocked. Under this mode, a user can use the computer with free access to the primary HDD in ACM. Any files can be read from other storage media in the peripheral console. But no files from the primary HDD can be copied to another media.

The data detection circuitry separately monitors peripheral bus operation type and memory address range being accessed. A specific address range for memory accesses and for I/O accesses can be programmed for the data detection circuitry to flag a match. A data blocking circuitry is triggered by the detection circuitry when a match occurs, and blanks out the data that is being sent to the peripheral console. For the security system to be effective, a tamper resistant enclosure must be used to prevent removal of the hard disk drive and the flash memory inside ACM. Further details are shown throughout the present specification and more particularly below.
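The power-up ID comparison, the look-up of the security level, and the data detection and blocking behaviour described above can be modelled in a few functions. This is an added example, not code from the patent: the record layout, the three ID relationships, the look-up table contents, the console address map and all sample IDs are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The four security levels named in the text. */
enum sec_level { NO_ACCESS, PERIPHERAL_READ_ONLY, LIMITED_ACCESS, FULL_ACCESS };

/* Hypothetical layout of the security ID record kept in each flash memory. */
struct sec_id { uint32_t user_id, business_id, equipment_id; };

/* Relationship between module and console IDs; this is the look-up key. */
enum id_relation { REL_UNKNOWN_CONSOLE, REL_SAME_BUSINESS, REL_SAME_USER, REL_COUNT };

/* ACM flash: the module's own ID plus the owner-programmed look-up table. */
struct acm_flash { struct sec_id id; enum sec_level table[REL_COUNT]; };

#define ID_ERASED 0xFFFFFFFFu   /* unprogrammed flash reads as all ones */

static int id_equal(uint32_t a, uint32_t b)
{
    /* An erased field never counts as a match, so two blank parts cannot pair. */
    return a != ID_ERASED && a == b;
}

/* Low-level security code: compare the two records, then look up the level. */
enum sec_level select_level(const struct acm_flash *acm, const struct sec_id *console)
{
    enum id_relation rel = REL_UNKNOWN_CONSOLE;
    if (id_equal(acm->id.user_id, console->user_id))
        rel = REL_SAME_USER;
    else if (id_equal(acm->id.business_id, console->business_id))
        rel = REL_SAME_BUSINESS;
    return acm->table[rel];
}

/* Constructed console address map programmed into the detection circuitry. */
enum dev_class { DEV_INPUT, DEV_MODEM, DEV_STORAGE };
struct dev_range { int is_io; uint32_t base, limit; enum dev_class cls; };
static const struct dev_range console_map[] = {
    { 1, 0x060,   0x064,   DEV_INPUT   },  /* keyboard and mouse */
    { 1, 0x3F0,   0x3F7,   DEV_STORAGE },  /* removable media controller */
    { 1, 0x3F8,   0x3FF,   DEV_MODEM   },  /* modem */
    { 0, 0xD0000, 0xDFFFF, DEV_STORAGE },  /* memory window to console storage */
};

/* Data detection: returns 1 when the operation type and address flag a match. */
int detect(enum sec_level lvl, int is_io, int is_write, uint32_t addr)
{
    for (size_t i = 0; i < sizeof console_map / sizeof console_map[0]; i++) {
        const struct dev_range *r = &console_map[i];
        if (is_io != r->is_io || addr < r->base || addr > r->limit)
            continue;
        if (r->cls == DEV_INPUT)
            return 0;                       /* keyboard and mouse always pass */
        switch (lvl) {
        case FULL_ACCESS:          return 0;
        case LIMITED_ACCESS:       return is_write && r->cls != DEV_MODEM;
        case PERIPHERAL_READ_ONLY: return is_write;
        default:                   return 1;   /* NO_ACCESS */
        }
    }
    return lvl != FULL_ACCESS;              /* unmapped address: fail closed */
}

/* Data blocking: a flagged transfer crosses the interface as blanked data. */
uint32_t forward(enum sec_level lvl, int is_io, int is_write, uint32_t addr, uint32_t data)
{
    return detect(lvl, is_io, is_write, addr) ? 0u : data;
}

/* Constructed sample records: same module ID, two different owner policies. */
const struct acm_flash acm_default = { { 1001, 77, 5 },
    { PERIPHERAL_READ_ONLY, LIMITED_ACCESS, FULL_ACCESS } };
const struct acm_flash acm_strict  = { { 1001, 77, 5 },
    { NO_ACCESS, LIMITED_ACCESS, FULL_ACCESS } };
const struct sec_id office_console   = { 1001, 77, 20 };
const struct sec_id coworker_console = { 1002, 77, 21 };
const struct sec_id home_console     = { ID_ERASED, ID_ERASED, 22 };

int main(void)
{
    enum sec_level lvl = select_level(&acm_default, &home_console);
    printf("home console level: %d\n", (int)lvl);
    printf("floppy write 0xAB forwarded as: 0x%02X\n",
           (unsigned)forward(lvl, 1, 1, 0x3F0, 0xAB));
    printf("floppy read 0xAB forwarded as:  0x%02X\n",
           (unsigned)forward(lvl, 1, 0, 0x3F0, 0xAB));
    return 0;
}
```

The model treats every write to a non-input range as a flagged transfer under Peripheral Read-only, which is a simplification of the memory block transfer detection the text describes.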

FIG. 4 is a simplified illustration of security systems 300 according to embodiments of the present invention. This illustration is merely an example, which should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The systems show various examples of ways to implement the present invention. Here, a user relies upon certain consoles to access information. A company's shared portable console 325 can access general company information 303. Selected security identification information 315 is entered into the shared console to access the information via a network. The information generally includes owner, owner password, business, business password, console type, location, and access privilege information, which is displayed on a user display. The owner is generally the user name. Owner password is the user password. The business is the business unit name and business password is the business unit password. The console type can be portable for laptops, notebooks, and the like. Alternatively, the console type can be a desktop. The location generally specifies the desktop location or address for a networked system. Alternatively, the location can also be a home location. Access privilege can be categorized into many different levels. For example, the user can access general company information, but not information directed to other business units. The user can also be limited to access his/her private information, which is company related. Many other types of information can be restricted or accessed depending upon the embodiment.

Other types of access can be granted depending upon the consoles. For example, various consoles include, among others, a console at a user's home, e.g., “John Doe's,” a console in the user's office 329, a console in a co-worker's office 331, which the user can access. The access from John Doe's home console uses security identification 317 and provides restricted access 305. The user's use of the module 307 can be from a variety of consoles and is accessed using security identification 319. Here, access privilege is private, which allows the user to access private personal information or private company information that the user has created. The user's access from his office relies upon security identification 321, which grants access to private information and general company information. The co-worker's console can also be used with security identification 323, which allows the user to access general company information but not private information of John Doe, for example. Depending upon the console used by the user, the security system can provide partial or full access to information on servers via network as well as an attached computer module. Information can also be limited to read only for certain information sources such as a server, a hard drive, a floppy drive, and others.

In a specific embodiment, the present invention also provides a security feature for the ACM 307. Here, the user of the ACM can be granted access to information in the ACM if the correct security identification information 319 is provided to the combination of ACM and console. Once the correct information is provided, the user can access the information on the hard drive of the ACM, which can be for private use. Other levels of access and security can also be provided depending upon the application.

FIG. 5 is a simplified diagram 500 of a computer module in a console according to an embodiment of the present invention. This diagram is merely an illustration which should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The block diagram 500 includes an attached computer module 501 and a peripheral console 503, as well as other elements as desired. These elements have a variety of features such as those noted above, as well as others. In the present diagram, different reference numerals are used to show the operation of the present system.

The block diagram 500 illustrates attached computer module 501. The module 501 has a central processing unit 502, which communicates to a north bridge 541, by way of a CPU bus 527. The north bridge couples to main memory 523 via memory bus 529. The main memory can be any suitable high speed memory device or devices such as dynamic random access memory (“DRAM”) integrated circuits and others. The DRAM includes at least 32 Meg. or 64 Meg. and greater of memory, but can also be less depending upon the application. Alternatively, the main memory can be coupled directly with the CPU in some embodiments. The north bridge also couples to a graphics subsystem 515 via bus 542. The graphics subsystem can include a graphics accelerator, graphics memory, and other devices. Graphics subsystem transmits a video signal to an interface connector, which couples to a display, for example.

The attached computer module also includes a primary hard disk drive 509 that serves as a main memory unit for programs and the like. The hard disk can be any suitable drive that has at least 2 GB and greater. As merely an example, the hard disk is a Marathon 2250 (2.25 GB, 2½ inch drive) product made by Seagate Corporation of Scotts Valley, but can be others. The hard disk communicates to the north bridge by way of a hard disk drive controller and bus lines 502 and 531. The hard disk drive controller couples to the north bridge by way of the host PCI bus 531, which connects bus 537 to the north bridge. The hard disk includes computer codes that implement a security program according to the present invention. Details of the security program are provided below.

The attached computer module also has a flash memory device 505 with a BIOS. The flash memory device 505 also has codes for a user password that can be stored in the device. The flash memory device generally permits the storage of such password without a substantial use of power, even when disconnected. As merely an example, the flash memory device has at least 512 kilobits or greater of memory, or 1 megabits or greater of memory. The flash memory device can store a security identification number or the like. The flash memory device is generally non-volatile and can preserve information even when the power is turned off, for example. The flash memory generally has at least 128 kilobits storage cells or more. The flash memory can be any product such as a W29C020 product made by a company called Winbond of Taiwan, but can also be others. The flash memory cell and user identification will be more fully described below in reference to the FIGS. A host interface controller 507 communicates to the north bridge via bus 535 and host PCI bus. The host interface controller also has a data control 511. Host interface controller 507 communicates to the console using bus 513, which couples to connection 515.

Peripheral console 503 includes a variety of elements to interface to the module 501, display 551, and network 553. The console forms around south bridge 571, which couples to bus 563, which couples to bus 561. Bus 561 is in communication with network card 555, which is a local area network for Ethernet, for example. South bridge also couples through control 569 to peripheral interface controller 567, which also communicates to bus 561. Peripheral interface controller also couples to host interface controller through connection 515 and bus 513. The peripheral console has a primary removable drive 559 connected to south bridge through bus 575. South bridge also couples to secondary hard disk through bus 577.

In a specific embodiment, the peripheral console also has a serial EEPROM memory device 575, which is coupled to the peripheral interface controller. The memory device can store a security identification number or the like. The memory device is generally non-volatile and can preserve information even when the power is turned off, for example. The memory generally has at least 16 kilobits of storage cells or more. Preferably, the memory device is a 16 kilobit device or 64 megabit device or greater, depending upon the application. The memory can be any product such as a X24320 product made by a company called Xicor, but can also be others. The memory cell and user identification will be more fully described below in reference to the FIGS.

FIG. 6 is a simplified diagram of a security method 600 for a module according to an embodiment of the present invention. This diagram is merely an illustration which should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The present method shows an example of how the present security method can be implemented. The present method uses a combination of software 601 and hardware 603, which is in the computer module. A plurality of external devices can be accessed depending upon the embodiment. These external devices include a secondary hard drive 618, a removable drive 619, a network (e.g., LAN, modem) device 621, and others. A keyboard 623 is also shown, which can act locally.

The software 601 includes an operating system 609, application programs 607, and a data security and initialization program 605. Other programs can also exist. Additionally, some of these programs may not exist. Preferably, the data security and initialization program exists. This data security and initialization program is initiated once the attached computer module is inserted into the console. The program interfaces with and oversees a variety of hardware features, which will be used to control access to the external devices, for example. Of course, the particular configuration of the software will depend upon the application.

Hardware features can be implemented using a primary hard disk 611 coupled to a CPU/cache combination, which includes a main memory. The main memory is often a volatile memory such as dynamic random access memory. Data from any one of the external devices can enter the CPU/cache combination. For example, the secondary hard disk memory and I/O address range data is transferred 624 to the CPU/cache combination. The removable drive memory and I/O address range data can also transfer 625 to the CPU/cache combination. The LAN memory and I/O address range data can also transfer 626 to the CPU/cache combination. Keyboard data can also transfer 627 to the CPU/cache combination. To write data from the module into any one of these external elements, the data security program interfaces with the data detection and control circuit to determine if such data should be transferred to any one of the external elements. As noted, the external elements include, among others, secondary hard disk, and removable drive. Here, the data security program checks the security identification number with other numbers to determine the security access level. There are many other ways that the present invention can be implemented. These methods are described more fully below.

FIG. 7 is a simplified diagram 700 of a method according to an embodiment of the present invention. This diagram is merely an illustration which should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The present method begins at power up, which is step 701. The present method reads a security code, which has been entered by a user, for example, in step 703. The security code can be a string of characters, including numbers and letters. The security code is preferably a mixture of numbers and letters, which are at least about 6 characters in length, but is not limited.

The present method reads (step 703) the security code, which has been entered. Next, the security code is compared with a stored code, which is in flash memory or the like (step 705). If the compared code matches with the stored code, the method resumes to step 708. Alternatively, the method goes to step 707 via branch 706 where no access is granted. When no access is granted, all data are blocked out from the user that attempts to log onto the system. Alternatively, the method determines if a certain level of access is granted, step 708. Depending upon the embodiment, the present method can grant full access, step 710, via branch 716. The present method allows full access based upon information stored in the flash memory device. Alternatively, the method can allow the user to access a limited amount of information.

Here, the present method allows for at least one or more than two levels of access. In a specific embodiment, the present method allows for the user of the module to access peripheral storage (step 711). The access privilege is read-only. The user can read information on the peripheral storage including hard disks and the like. Once the user accesses the storage, the method data control, step 719, takes over, where the hardware prevents the user from accessing other information, step 721. In a specific embodiment, the method can allow information to be removed from the peripheral storage. If the method allows for data to be removed, step 723, the method goes through branch 731 to let data out, which can occur through the module. Alternatively, the method goes to block data (step 725) via branch 733. Depending upon the embodiment, the method returns to the decision block, step 723. Alternatively, the method traverses branch 714 to a peripheral read-only process, step 712. The read-only process programs data control, step 713. Next, the hardware takes over (step 715). The method blocks all data from being accessed by the user, step 717.
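The following C sketch walks the FIG. 7 flow end to end: compare the entered security code with the code stored in the module's flash, select an access level from the console's security identification number, then program a data control gate that defaults to blocking. It is an added example, not code from the patent; the struct layouts, the per-console table, the enum names, and the sample IDs and code are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 32  /* assumed fixed size of the stored-code field */

typedef enum { ACCESS_NONE = 0, ACCESS_PERIPHERAL_READ_ONLY, ACCESS_FULL } access_level_t;
typedef enum { DIR_PERIPHERAL_TO_MODULE, DIR_MODULE_TO_PERIPHERAL } data_dir_t;

/* One row of an assumed table in module flash: console ID -> access level. */
typedef struct { uint32_t console_id; access_level_t level; } console_policy_t;

/* Assumed layout of the security data held in the module's flash memory. */
typedef struct {
    char stored_code[CODE_LEN];   /* zero-padded user security code */
    console_policy_t policy[4];
    size_t policy_len;
} acm_flash_t;

/* Gate programmed by software and then enforced by hardware (steps 713, 719). */
typedef struct { int read_in; int write_out; } data_control_t;

/* Step 705: compare entered code with stored code. Every byte of the field is
 * examined so the running time does not reveal where the first mismatch is. */
static int code_matches(const char *entered, const char stored[CODE_LEN])
{
    unsigned char padded[CODE_LEN] = {0};
    size_t n = strlen(entered);
    if (n == 0 || n >= CODE_LEN)      /* empty or oversized input never matches */
        return 0;
    memcpy(padded, entered, n);
    unsigned char diff = 0;
    for (size_t i = 0; i < CODE_LEN; i++)
        diff |= (unsigned char)(padded[i] ^ (unsigned char)stored[i]);
    return diff == 0;
}

/* Steps 713/719: translate the access level into the data control gate.
 * The gate starts fully closed, matching the "block data" outcomes. */
static data_control_t program_data_control(access_level_t level)
{
    data_control_t dc = {0, 0};
    if (level == ACCESS_PERIPHERAL_READ_ONLY)
        dc.read_in = 1;
    if (level == ACCESS_FULL) {
        dc.read_in = 1;
        dc.write_out = 1;
    }
    return dc;
}

/* What the hardware would answer for a transfer in the given direction. */
static int data_control_permits(const data_control_t *dc, data_dir_t dir)
{
    return dir == DIR_PERIPHERAL_TO_MODULE ? dc->read_in : dc->write_out;
}

/* Steps 703-710: code check first, then the level for this console.
 * A console ID that is not in the table gets no access. */
static access_level_t security_check(const acm_flash_t *flash, uint32_t console_id,
                                     const char *entered, data_control_t *dc)
{
    access_level_t level = ACCESS_NONE;
    if (code_matches(entered, flash->stored_code)) {
        for (size_t i = 0; i < flash->policy_len; i++)
            if (flash->policy[i].console_id == console_id)
                level = flash->policy[i].level;
    }
    *dc = program_data_control(level);
    return level;
}

/* Constructed sample data: the code and console IDs are made up. */
static const acm_flash_t SAMPLE_FLASH = {
    .stored_code = "a7K9q2",
    .policy = { {0x0329u, ACCESS_FULL}, {0x0331u, ACCESS_PERIPHERAL_READ_ONLY} },
    .policy_len = 2,
};

int main(void)
{
    const uint32_t consoles[] = {0x0329u, 0x0331u, 0x0999u};
    for (size_t i = 0; i < 3; i++) {
        data_control_t dc;
        access_level_t lvl = security_check(&SAMPLE_FLASH, consoles[i], "a7K9q2", &dc);
        printf("console 0x%04x: level=%d read_in=%d write_out=%d\n",
               (unsigned)consoles[i], (int)lvl, dc.read_in, dc.write_out);
    }
    return 0;
}
```
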

FIG. 8 is a simplified diagram of a system 800 according to an alternative embodiment of the present invention. This diagram is merely an example which should not limit the scope of the claims herein. One of ordinary skill in the art would recognize many other variations, modifications, and alternatives. The system 800 includes an attached computer module 801, which can be inserted into one of a plurality of console devices to create a “plug and play” operation. For example, the console device can be peripheral console 801 or peripheral console 805. Each peripheral console can have similar or different connection characteristics. Peripheral console 803 couples to a local area network using Ethernet 817. Peripheral console 805 couples to a DSL line 827 through a DSL modem 825. Other consoles can also be included to use other types of networks such as ADSL, Cable Modem, wireless, Token Ring, and the like.

As shown, the attached computer module has elements such as a memory region 807, which stores BIOS information, a security code, and a security identification number on a flash memory device or the like. The memory region couples to a central processing region 809, which can include CPU, chipset, cache memory, graphics, and a hard disk drive, as well as other features. The central processing region couples to a host interface controller, which interfaces the attached computer module to one of the peripheral consoles. Any of the above information can also be included in the attached computer module.

Each peripheral console also has a variety of elements. These elements include a region 813, 821, which has a flash memory device with a security identification number, a password, access information, access privileges, internet service provider access information, as well as other features, which were previously noted. The peripheral console also has an interface controller 815, 823, which couples region 813, 821, respectively to a networking device 817, 825. The networking device can be an Ethernet card 817, which allows communication to the local area network 819. Alternatively, the networking device can be a DSL modem 825, which allows communication to a DSL (or ADSL) phone line. Other types of networking device can also be used, depending upon the application.

Each console provides a selected connection based upon a set of predefined factors. These factors include communication hardware information so that software in attached computer module can read and allow a connection to a network. Here, access information can be provided to the user. Information about connection information will also be included. This connection information includes telephone numbers, account numbers, passwords (local), or a company password. The console and module combination will take care of charges, etc. based upon time bases. Module will have credit card information, but will have security. In a specific embodiment, the module inserts into the console. The module then asks the console which hardware will be used. If the hardware is an Ethernet connect, the module configures connection information to access the Ethernet connection. Alternatively, if the hardware requires a DSL connection, the module configures connection information to access the DSL connection. Other configuration information such as company server information, password, can also be provided.

A personal computer system that comprises two physically separate units and the interconnection between them is disclosed. The first unit, an attached computing module (ACM), contains the core computing power and environment for a computer user. The second unit, a peripheral console (PCON), contains the power supply and primary input and output devices for the computer system. An ACM and a PCON are coupled with one another to form a fully functional personal computer system.

FIG. 9 depicts a notebook computer PCON configuration. The opening of the computer bay 992 is visible at the side of the PCON unit 900. The PCON 900 provides an integrated LCD display panel 910 as the user's primary display device. The PCON 900 provides an integrated keyboard 922 as the user's primary input device.

FIG. 10 is a block diagram of the components in one computer system. The computer system comprises an attached computer module (ACM) 1000, a peripheral console (PCON) 1001, and the interconnection apparatus 1003 between them. The ACM 1000 includes the central processing unit (CPU) 1010, system memory 1020, high performance devices 1050, primary mass storage 1030, and related interface and support circuitry 1040. The PCON 1001 includes primary display 1011, primary input 1021, secondary mass storage 1051, other devices 1061, expansion slots 1071, the primary power supply 1031, and related interface and support circuitry 1041. The interconnection apparatus 1003 includes circuitry to convey power and operational signals between the ACM 1000 and PCON 1001.

Within the ACM 1000, the CPU 1010 executes instructions and manipulates data stored in the system memory 1020. The CPU 1010 and system memory 1020 represent the user's core computing power. The core computing power may also include high performance devices 1050 such as advanced graphics processor chips that greatly increase overall system performance and which, because of their speed, need to be located close to the CPU 1010. The primary mass storage 1030 contains persistent copies of the operating system software, application software, configuration data, and user data. The software and data stored in the primary mass storage device 1030 represent the user's computing environment. Interface and support circuitry 1040 primarily includes interface chips and signal busses that interconnect the CPU 1010, system memory 1020, high performance devices 1050, and primary mass storage 1030. The interface and support circuitry 1040 also connects ACM-resident components with the ACM-to-PCON interconnection apparatus 1003 as needed.

Within the PCON 1001, the primary display component 1011 may include an integrated display device or connection circuitry for an external display device. This primary display device 1011 may be, for example, an LCD, plasma, or CRT display screen used to display text and graphics to the user for interaction with the operating system and application software. The primary display component 1011 is the primary output of the computer system, i.e., the paramount vehicle by which programs executing on the CPU 1010 can communicate toward the user.

The primary input component 1021 of the PCON 1001 may include an integrated input device or connection circuitry for attachment to an external input device. The primary input 1021 may be, for example, a keyboard, touch screen, keypad, mouse, trackball, digitizing pad, or some combination thereof to enable the user to interact with the operating system and application software. The primary input component 1021 is the paramount vehicle by which programs executing on the CPU 1010 receive signals from the user.

The PCON 1001 may contain secondary mass storage 1051 to provide additional high capacity storage for data and software. Secondary mass storage 1051 may have fixed or removable media and may include, for example, devices such as diskette drives, hard disks, CD-ROM drives, DVD drives, and tape drives.

The PCON 1001 may be enhanced with additional capability through the use of integrated “Other Devices” 1061 or add-on cards inserted into the PCON's expansion slots 1071. Examples of additional capability include sound generators, LAN connections, and modems. Interface and support circuitry 1041 primarily includes interface chips, driver chips, and signal busses that interconnect the other components within the PCON 1001. The interface and support circuitry 1041 also connects PCON-resident components with the ACM-to-PCON interconnection apparatus 1003 as needed.

Importantly, the PCON 1001 houses the primary power supply 1031. The primary power supply 1031 has sufficient capacity to power both the PCON 1001 and the ACM 1000 for normal operation. Note that the ACM 1000 may include a secondary “power supply” in the form, for example, of a small battery. Such a power supply would be included in the ACM 1000 to maintain, for example, a time-of-day clock, configuration settings when the ACM 1000 is not attached to a PCON, or machine state when moving an active ACM immediately from one PCON to another. The total energy stored in such a battery would, however, be insufficient to sustain operation of the CPU 1010 at its rated speed, along with the memory 1020 and primary mass storage 1030, for more than a fraction of an hour, if the battery were able to deliver the required level of electrical current at all.

FIG. 11 is a block diagram of an attached computing module (ACM) 1100. The physical ACM package 1100 contains the ACM functional components 1101 and the ACM side of the ACM-to-PCON Interconnection 1700. The ACM 1101 comprises a CPU component 1110, a system memory component 1120, a primary mass storage component 1130, a high performance devices component 1150, and an interface and support component 1140.

The ACM side of the ACM-to-PCON Interconnection 1700 comprises a Host Interface Controller (HIC) component 1720 and an ACM connector component 1730. The HIC 1720 and connector 1730 components couple the ACM functional components 1100 with the signals of an ACM-to-PCON interface bus 1710 used to operatively connect an ACM with a PCON. The ACM-to-PCON interface bus 1710 comprises conveyance for electrical power 1714 and signals for a peripheral bus 1712, video 1716, video port 1717, and console type 1718. The preferred ACM-to-PCON Interconnection 1700 is described in detail in a companion U.S. patent application Ser. No. 09/149,882, entitled “A Communication Channel and Interface Devices for Bridging Computer Interface Buses,” by the same inventor, filed on Sep. 8, 1998, and hereby incorporated by reference. The preferred ACM-to-PCON interconnection 1700 includes circuitry to transmit and receive parallel bus information from multiple signal paths as a serial bit stream on a single signal path. This reduces the number of physical signal paths required to traverse the interconnection 1700. Further, employing low-voltage differential signaling (LVDS) on the bit stream data paths provides very reliable, high-speed transmission across cables. This represents a further advantage of the present invention.

Clocking circuitry 1144 generates clock signals for distribution to other components within the ACM 1100 that require a timing and synchronization clock source. The CPU 1110 is one such component. Often, the total power dissipated by a CPU is directly proportional to the frequency of its main clock signal. The presently described embodiment of the ACM 1100 includes circuitry that can vary the frequency of the main CPU clock signal conveyed to the CPU 1110 via signal path 1162, in response to a signal received from the host interface controller (HIC) 1720 via signal path 1161. The generation and variable frequency control of clocking signals is well understood in the art. By varying the frequency, the power consumption of the CPU 1110 (and thus the entire ACM 1100) can be varied.

The variable clock rate generation may be exploited to match the CPU power consumption to the available electrical power. Circuitry in the host interface controller (HIC) 1720 of the presently described embodiment adjusts the frequency control signal sent via signal path 1161 to the clocking circuitry 1144, based on the “console type” information signal 1718 conveyed from the peripheral console (PCON) by the CPU-to-PCON interconnection 1700.

FIG. 12 is a block diagram of a peripheral console (PCON). A peripheral console couples with an ACM to form an operating personal computer system. The peripheral console (PCON) supplies an ACM with primary input, display, and power supply; the ACM supplies the core computing power and environment of the user. In the presently described embodiment the physical PCON package 1200 contains the PCON functional components 1201 and the PCON side of the ACM-to-PCON Interconnection 1800. The PCON functional components 1201 comprise primary display 1210, a primary input 1220, a primary power supply 1230, interface and support 1240, secondary mass storage 1250, other devices 1260, and expansion slots 1270.

The PCON side of the ACM-to-PCON Interconnection 1800 comprises a Peripheral Interface Controller (PIC) component 1840, a PCON connector component 1850, console-type component 1842, and flash memory device 1848. The PIC 1840 and connector 1850 components couple the PCON functional components 1201 with the signals of an ACM-to-PCON interface bus 1810 used to operatively connect an ACM with a PCON. The ACM-to-PCON interface bus 1810 comprises conveyance for electrical power 1814 and signals for a peripheral bus 1812, video 1816, video port 1817, and console-type 1818. The preferred ACM-to-PCON Interconnection 1800 is described in detail in the U.S. patent application entitled “A Communication Channel and Interface Devices for Bridging Computer Interface Buses,” already incorporated herein by reference.

Connector component 1850 may be selected to mate directly with the connector component 1730 of an ACM (shown in FIG. 11). Alternatively, connector component 1850 may be selected to mate with, for example, the connector on one end of a cable intervening between the PCON and an ACM in a particular embodiment. The ACM-to-PCON interconnection described in the aforementioned companion patent application has the advantage of providing reliable signal conveyance across low cost cables.

Flash memory device 1848 provides non-volatile storage. This storage may be accessible to devices in both the ACM and the PCON, including the host interface controller and the peripheral interface controller 1840 to which it is connected. As such, flash memory 1848 may be used to store configuration and security data to facilitate an intelligent mating between an ACM and a PCON that needs no participation of the CPU.

The secondary mass storage component 1250 of the PCON functional circuitry 1201 of the presently described embodiment comprises diskette drive 1254, hard disk drive 1252, and CD-ROM drive 1256. Secondary mass storage 1250 generally provides low-cost, non-volatile storage for data files which may include software program files. Data files stored on secondary mass storage 1250 are not part of a computer user's core computing power and environment. Secondary mass storage 1250 may be used to store, for example, seldom used software programs, software programs that are used only with companion hardware devices installed in the same peripheral console 1200, or archival copies of data files that are maintained in primary mass storage 1130 of an ACM (shown in FIG. 11). Storage capacities for secondary mass storage 1250 devices may vary from the 1.44 megabytes of the 3.5-inch high density diskette drive 1254, to more than 10 gigabytes for a large format (5-inch) hard disk drive 1252. Hard disk drive 1252 employs fixed recording media, while diskette drive 1254 and CD-ROM drive 1256 employ removable media. Diskette drive 1254 and hard disk drive 1252 support both read and write operations (i.e., data stored on their recording media may be both recalled and modified) while CD-ROM drive 1256 supports only read operations.

Two PCI or PCI-like buses are interfaced using a non-PCI or non-PCI-like channel. PCI control signals are encoded into control bits, and the control bits, rather than the control signals that they represent, are transmitted on the interface channel. At the receiving end, the control bits representing control signals are decoded back into PCI control signals prior to being transmitted to the intended PCI bus.

The fact that control bits rather than control signals are transmitted on the interface channel allows using a smaller number of signal channels and a correspondingly small number of conductive lines in the interface channel than would otherwise be possible. This is because the control bits can be more easily multiplexed at one end of the interface channel and recovered at the other end than control signals. This relatively small number of signal channels used in the interface channel allows using LVDS channels for the interface. As mentioned above, an LVDS channel is more cable friendly, faster, consumes less power, and generates less noise than a PCI bus channel. Therefore, an LVDS channel is advantageously used for the heretofore unused purpose of interfacing PCI or PCI-like buses. The relatively smaller number of signal channels in the interface also allows using connectors having smaller pin counts. As mentioned above, an interface having a smaller number of signal channels and, therefore, a smaller number of conductive lines is less bulky and less expensive than one having a larger number of signal channels. Similarly, connectors having a smaller number of pins are also less expensive and less bulky than connectors having a larger number of pins.

In one embodiment, the present invention encompasses an apparatus for bridging a first computer interface bus and a second computer interface bus, in a microprocessor based computer system where each of the first and second computer interface buses have a number of parallel multiplexed address/data bus lines and operate at a clock speed in a predetermined clock speed range having a minimum clock speed and a maximum clock speed. The apparatus comprises an interface channel having a clock channel and a plurality of bit channels for transmitting bits; a first interface controller coupled to the first computer interface bus and to the interface channel to encode first control signals from the first computer interface bus into first control bits to be transmitted on the interface channel and to decode second control bits received from the interface channel into second control signals to be transmitted to the first computer interface bus; and a second interface controller coupled to the interface channel and the second computer interface bus to decode the first control bits from the interface channel into third control signals to be transmitted on the second computer interface bus and to encode fourth control signals from the second computer interface bus into the second control bits to be transmitted on the interface channel.

In one embodiment, the first and second interface controllers comprise a host interface controller (HIC) and a peripheral interface controller (PIC), respectively, the first and second computer interface buses comprise a primary PCI and a secondary PCI bus, respectively, and the interface channel comprises an LVDS channel.

In a preferred embodiment, the interface channel has a plurality of serial bit channels numbering fewer than the number of parallel bus lines in each of the PCI buses and operates at a clock speed higher than the clock speed at which any of the bus lines operates. More specifically, the interface channel includes two sets of unidirectional serial bit channels which transmit data in opposite directions such that one set of bit channels transmits serial bits from the HIC to the PIC while the other set transmits serial bits from the PIC to the HIC. For each cycle of the PCI clock, each bit channel of the interface channel transmits a packet of serial bits.

The HIC and PIC each include a bus controller to interface with the first and second computer interface buses, respectively, and to manage transactions that occur therewith. The HIC and PIC also include a translator coupled to the bus controller to encode control signals from the first and second computer interface buses, respectively, into control bits and to decode control bits from the interface channel into control signals. Additionally, the HIC and PIC each include a transmitter and a receiver coupled to the translator. The transmitter converts parallel bits into serial bits and transmits the serial bits to the interface channel. The receiver receives serial bits from the interface channel and converts them into parallel bits.
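The translator, transmitter and receiver roles described above can be modeled in a few lines of C: control signals become control bits, one bus cycle is spread over a small number of serial bit channels, and the far side reverses both steps. This is an added example, not the patent's circuit or the XPBus format; the choice of five PCI control signals, the four bit channels, the 11-bit packet and the bit ordering are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_BIT_CHANNELS 4   /* assumed; far fewer than the parallel bus lines */
#define PACKET_BITS      11  /* assumed bits sent per channel per PCI clock */

/* Assumed subset of PCI control signals; true means asserted. */
typedef struct { bool frame, irdy, trdy, devsel, stop; } pci_ctrl_t;

/* One PCI clock's worth of parallel bus state seen by the bus controller. */
typedef struct { uint32_t ad; uint8_t cbe; pci_ctrl_t ctrl; } pci_cycle_t;

/* One packet per bit channel; bit 0 of each packet is sent first. */
typedef struct { uint16_t packet[NUM_BIT_CHANNELS]; } channel_frame_t;

/* Translator, encode side: control signals -> control bits. */
static uint8_t encode_ctrl(pci_ctrl_t c)
{
    return (uint8_t)((c.frame << 0) | (c.irdy << 1) | (c.trdy << 2) |
                     (c.devsel << 3) | (c.stop << 4));
}

/* Translator, decode side: control bits -> control signals. */
static pci_ctrl_t decode_ctrl(uint8_t bits)
{
    pci_ctrl_t c = { (bits >> 0) & 1, (bits >> 1) & 1, (bits >> 2) & 1,
                     (bits >> 3) & 1, (bits >> 4) & 1 };
    return c;
}

/* Transmitter: 32 AD bits + 4 C/BE bits + 5 control bits are laid out as one
 * 41-bit word, then dealt round-robin across the serial bit channels. */
static channel_frame_t hic_transmit(pci_cycle_t cyc)
{
    uint64_t word = (uint64_t)cyc.ad |
                    ((uint64_t)(cyc.cbe & 0xF) << 32) |
                    ((uint64_t)encode_ctrl(cyc.ctrl) << 36);
    channel_frame_t f = { {0} };
    for (int bit = 0; bit < NUM_BIT_CHANNELS * PACKET_BITS; bit++) {
        if ((word >> bit) & 1)
            f.packet[bit % NUM_BIT_CHANNELS] |= (uint16_t)(1u << (bit / NUM_BIT_CHANNELS));
    }
    return f;
}

/* Receiver: gather the serial packets back into the parallel word, then let
 * the translator rebuild the control signals for the destination bus. */
static pci_cycle_t pic_receive(const channel_frame_t *f)
{
    uint64_t word = 0;
    for (int bit = 0; bit < NUM_BIT_CHANNELS * PACKET_BITS; bit++) {
        if ((f->packet[bit % NUM_BIT_CHANNELS] >> (bit / NUM_BIT_CHANNELS)) & 1)
            word |= (uint64_t)1 << bit;
    }
    pci_cycle_t cyc;
    cyc.ad = (uint32_t)(word & 0xFFFFFFFFu);
    cyc.cbe = (uint8_t)((word >> 32) & 0xF);
    cyc.ctrl = decode_ctrl((uint8_t)((word >> 36) & 0x1F));
    return cyc;
}

int main(void)
{
    /* Constructed sample cycle: address phase with FRAME# and IRDY# asserted. */
    pci_cycle_t in = { 0xDEADBEEFu, 0x7, { true, true, false, false, false } };
    channel_frame_t f = hic_transmit(in);
    pci_cycle_t out = pic_receive(&f);
    for (int ch = 0; ch < NUM_BIT_CHANNELS; ch++)
        printf("channel %d packet: 0x%03x\n", ch, (unsigned)f.packet[ch]);
    printf("recovered AD=0x%08x C/BE=0x%x FRAME=%d IRDY=%d\n",
           (unsigned)out.ad, (unsigned)out.cbe, out.ctrl.frame, out.ctrl.irdy);
    return 0;
}
```
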

FIG. 13 is a block diagram of one embodiment of a computer system 1300 using the interface of the present invention. Computer system 1300 includes an attached computer module (ACM) 1305 and a peripheral console 1310, which are described in greater detail in the application of William W. Y. Chu, Ser. No. 09/149,548, for “Personal Computer Peripheral Console With Attached Computer Module” filed on Sep. 8, 1998 and incorporated herein by reference. The ACM 1305 and the peripheral console 1310 are interfaced through an exchange interface system (XIS) bus 1315. The XIS bus 1315 includes power bus 1316, video bus 1317 and peripheral bus (XPBus) 1318, which is also herein referred to as an interface channel. The power bus 1316 transmits power between ACM 1305 and peripheral console 1310. In a preferred embodiment power bus 1316 transmits power at voltage levels of 3.3 volts, 5 volts and 12 volts. Video bus 1317 transmits video signals between the ACM 1305 and the peripheral console 1310. In a preferred embodiment, the video bus 1317 transmits analog Red Green Blue (RGB) video signals for color monitors, digital video signals (such as Video Electronics Standards Association (VESA) Plug and Display's Transition Minimized Differential Signaling (TMDS) signals for flat panel displays), and television (TV) and/or super video (S-video) signals. The XPBus 1318 is coupled to host interface controller (HIC) 1319 and to peripheral interface controller (PIC) 1320, which is also sometimes referred to as a bay interface controller.

In the embodiment shown in FIG. 13, HIC 1319 is coupled to an integrated unit 1321 that includes a CPU, a cache and a north bridge. In another embodiment, such as that shown in FIG. 17, the CPU 1705 and north bridge 1710 are separate rather than integrated units. In yet another embodiment, such as that shown in FIG. 18, the HIC and PIC are integrated with the north and south bridges, respectively, such that integrated HIC and north bridge unit 1805 includes an HIC and a north bridge, while integrated PIC and south bridge unit 1810 includes a PIC and a south bridge. FIG. 19 shows an attached computer module with integrated CPU/NB/Graphics 1915 and Integrated HIC/SB 1920. FIG. 20 shows an attached computer module with single chip 2025 fully integrated: CPU, Cache, Core Logic, Graphics controller and Interface controller.

FIG. 14 is a detailed block diagram of one embodiment of the HIC of the present invention. As shown in FIG. 14, HIC 1600 comprises bus controller 1610, translator 1620, transmitter 1630, receiver 1640, a PLL 1650, an address/data multiplexer (A/D MUX) 1660, a read/write controller (RD/WR Cntl) 1670, a video serial to parallel converter 1680 and a CPU control & general purpose input/output latch/driver (CPU CNTL & GPIO latch/driver) 1690.

HIC 1600 is coupled to an optional flash memory BIOS configuration unit 1601. Flash memory unit 1601 stores basic input output system (BIOS) and PCI configuration information and supplies the BIOS and PCI configuration information to A/D MUX 1660 and RD/WR Control 1670, which control the programming, read, and write of flash memory unit 1601.

Bus controller 1610 is coupled to the host PCI bus, which is also referred to herein as the primary PCI bus, and manages PCI bus transactions on the host PCI bus. Bus controller 1610 includes a slave (target) unit 1611 and a master unit 1616. Slave unit 1611 and master unit 1616 each include two first in first out (FIFO) buffers, which are preferably asynchronous with respect to each other since the input and output of the two FIFOs in the master unit 1616 as well as the two FIFOs in the slave unit 1611 are clocked by different clocks, namely the PCI clock and the PCK. Additionally, slave unit 1611 includes encoder 1622 and decoder 1623, while master unit 1616 includes encoder 1627 and decoder 1628. The FIFOs 1612, 1613, 1617 and 1618 manage data transfers between the host PCI bus and the XPBus, which in the embodiment shown in FIG. 14 operate at 33 MHz and 66 MHz, respectively. PCI address/data (AD) from the host PCI bus is entered into FIFOs 1612 and 1617 before they are encoded by encoders 1622 and 1627. Encoders 1622 and 1627 format the PCI address/data bits to a form more suitable for parallel to serial conversion prior to transmittal on the XPBus. Similarly, address and data information from the receivers is decoded by decoders 1623 and 1628 to a form more suitable for transmission on the host PCI bus.

The multiplexed parallel A/D bits and some control bits input to transmitter 1630 are serialized by parallel to serial converters 1632 of transmitter 1630 into 10 bit packets. These bit packets are then output on data lines PD0 to PD3 of the XPBus. Other control bits are serialized by parallel to serial converter 1633 into 10 bit packets and sent out on control line PCN of the XPBus.

FIG. 15 is a detailed block diagram of one embodiment of the PIC of the present invention. PIC 11100 is nearly identical to HIC 1600 in its function, except that HIC 1600 interfaces the host PCI bus to the XPBus while PIC 11100 interfaces the secondary PCI bus to the XPBus. Similarly, the components in PIC 11100 serve the same function as their corresponding components in HIC 1600. Reference numbers for components in PIC 11100 have been selected such that a component in PIC 11100 and its corresponding component in HIC 1600 have reference numbers having the same two least significant digits. Thus for example, the bus controller in PIC 11100 is referenced as bus controller 11110 while the bus controller in HIC 1600 is referenced as bus controller 1610. As many of the elements in PIC 11100 serve the same functions as those served by their corresponding elements in HIC 1600 and as the functions of the corresponding elements in HIC 1600 have been described in detail above, the function of elements of PIC 11100 having corresponding elements in HIC 1600 will not be further described herein. Reference may be made to the above description of FIG. 14 for an understanding of the functions of the elements of PIC 11100 having corresponding elements in HIC 1600.

FIG. 16 is a schematic diagram of lines PCK, PD0 to PD3, and PCN. These lines are unidirectional LVDS lines for transmitting clock signals and bits from the HIC to the PIC. The bits on the PD0 to PD3 and the PCN lines are sent synchronously within every clock cycle of the PCK. Another set of lines, namely PCKR, PDR0 to PDR3, and PCNR, are used to transmit clock signals and bits from the PIC to HIC. The lines used for transmitting information from the PIC to the HIC have the same structure as those shown in FIG. 16, except that they transmit data in a direction opposite to that in which the lines shown in FIG. 16 transmit data. In other words they transmit information from the PIC to the HIC. The bits on the PDR0 to PDR3 and the PCNR lines are sent synchronously within every clock cycle of the PCKR. Some of the examples of control information that may be sent in the reverse direction, i.e., on PCNR line, include a request to switch data bus direction because of a pending operation (such as read data available), a control signal change in the target requiring communication in the reverse direction, target busy, and transmission error detected.

The XPBus, which includes lines PCK, PD0 to PD3, PCN, PCKR, PDR0 to PDR3, and PCNR, has two sets of unidirectional lines transmitting clock signals and bits in opposite directions. The first set of unidirectional lines includes PCK, PD0 to PD3, and PCN. The second set of unidirectional lines includes PCKR, PDR0 to PDR3, and PCNR. Each of these unidirectional sets of lines is a point-to-point bus with a fixed transmitter and receiver, or in other words a fixed master and slave bus. For the first set of unidirectional lines, the HIC is a fixed transmitter/master whereas the PIC is a fixed receiver/slave. For the second set of unidirectional lines, the PIC is a fixed transmitter/master whereas the HIC is a fixed receiver/slave. The LVDS lines of XPBus, a cable friendly and remote system I/O bus, transmit fixed length data packets within a clock cycle.

The XPBus lines, PD0 to PD3, PCN, PDR0 to PDR3 and PCNR, and the video data and clock lines, VPD and VPCK, are not limited to being LVDS lines, as they may be other forms of bit based lines. For example, in another embodiment, the XPBus lines may be IEEE 1394 lines.

It is to be noted that although each of the lines PCK, PD0 to PD3, PCN, PCKR, PDR0 to PDR3, PCNR, VPCK, and VPD is referred to as a line, in the singular rather than plural, each such line may contain more than one physical line. For example, in the embodiment shown in FIG. 16, each of lines PCK, PD0 to PD3 and PCN includes two physical lines between each driver and its corresponding receiver. The term line, when not directly preceded by the terms physical or conductive, is herein used interchangeably with a signal or bit channel of one or more physical lines for transmitting a signal. In the case of non-differential signal lines, generally only one physical line is used to transmit one signal. However, in the case of differential signal lines, a pair of physical lines is used to transmit one signal. For example, a pair of physical lines together transmit a signal in a bit line or bit channel in an LVDS or IEEE 1394 interface.

A bit based line (i.e., a bit line) is a line for transmitting serial bits. Bit based lines typically transmit bit packets and use a serial data packet protocol. Examples of bit lines include an LVDS line, an IEEE 1394 line, and a Universal Serial Bus (USB) line.

FIGS. 21 and 22 are tables including the pin number, symbol, signal, standard and description for the pins on the peripheral and video connectors, respectively. FIG. 23 is a table showing the symbols, signals, data rate and description of signals on the XPBus, where RTN indicates a ground (GND) reference. In the above tables, P&D stands for plug and display and is a trademark of the Video Electronics Standards Association (VESA) for the Plug and Display standard, DDC2:SCL and DDC2:SDA stand for the VESA display data channel (DDC) standard 2 clock and data signals, respectively, SV stands for super video, V33 is 3.3 volts, and V5 is 5.0 volts. TMDS stands for Transition Minimized Differential Signaling and is a trademark of Silicon Images and refers to their Panel Link technology, which is in turn a trademark for their LVDS technology. TMDS is used herein to refer to the Panel Link technology or technologies compatible therewith.

The reserved data packet types can be used to support non-PCI bus transactions, e.g., USB transactions. The bits sent in the first nibble of each data packet indicate the type of the data packet. FIG. 24 is a table showing different types of first nibbles and their corresponding data packet types.

Although the functionality above has been generally described in terms of a specific sequence of steps, other steps can also be used. Here, the steps can be implemented in a combination of hardware, firmware, and software. Either of these can be further combined or even separated. Depending upon the embodiment, the functionality can be implemented in a number of different ways without departing from the spirit and scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives.

While the above is a full description of the specific embodiments, various modifications, alternative constructions and equivalents may be used. Therefore, the above description and illustrations should not be taken as limiting the scope of the present invention which is defined by the appended claims.

What is claimed is:
 1. A security protection method for a computer module, said method comprising: inserting the computer module into a console; initiating a security program in said module to read a security identification of said console and to read a security identification of said computer module; determining of a predetermined security status based upon a relationship of said console identification and said computer module identification; selecting said predetermined security status; and operating said computer module based upon said security status.
 2. The method of claim 1 wherein said predetermined security status disables a network access to the computer module.
 3. The method of claim 1 wherein said predetermined security status disables a secondary storage of information from said computer module to substantially prevent information to be transferred from a memory of the computer module to said secondary storage.
 4. The method of claim 1 wherein said security program is provided in a system BIOS.
 5. The method of claim 1 wherein said step of initiating reads said security identification of said computer module from a flash memory device.
 6. The method of claim 1 wherein said step of initiating reads said security identification of said console from a flash memory device.
 7. The method of claim 1 wherein said console is selected from a desktop home computing device, an office desktop computing device, a mobile computing device, a television set-top computing device, and a co-worker's computing device.
 8. A system for secured information transactions, the system comprising: a console comprising a peripheral controller housed in the console; a user identification input device coupled to the peripheral controller, the user identification input device being provided for user identification data; and an attached computer module coupled to the console, the attached computer module comprising a security memory device stored with the user identification data.
 9. The system of claim 8 wherein the user identification input device is a finger print reader.
 10. The system of claim 8 wherein the user identification input device is a voice processing device.
 11. A method for operating a module computer into one of a plurality of network systems, the method comprising: providing a computer module, the module comprising a connection program; inserting the computer module into a computer console, the computer console having access to a network; receiving connection information from the computer console; configuring the connection program to adapt to the connection information; and establish a connection between the computer module and a server coupled to the network.
 12. The method of claim 11 wherein the connection information comprises a connection protocol for providing the connection.
 13. The method of claim 12 wherein the connection protocol is selected from TCP/IP, or mobile IP.
 14. A computer for information transactions, comprising: a central processing unit directly connected to a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; a main memory directly connected to the central processing unit; and a peripheral bridge directly coupled to the central processing unit without any intervening Peripheral Component Interconnect (“PCI”) bus, wherein the peripheral bridge directly conveys an encoded serial bit stream of address and data bits of a PCI bus transaction over a second LVDS channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions.
 15. The computer of claim 14, further comprising a connector coupled to a console, wherein the second LVDS channel communicates the encoded serial bit stream of address and data bits of the PCI bus transaction to the console.
 16. The computer of claim 15 further comprising a graphics controller that conveys digital video display information from the connector to the console.
 17. The computer of claim 15 wherein the console comprises a mass storage device that couples to the second LVDS channel.
 18. A computer system, comprising: a console comprising a Liquid Crystal Display (LCD) display and a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; and a computer coupled to the console through a connector, the computer comprising an integrated central processing unit and graphics controller in a single chip directly connected to a second LVDS channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; and a mass storage unit coupled to the central processing unit and graphics controller in a single chip; wherein the graphics controller conveys digital video display information to the LCD display through the connector upon coupling to the console.
 19. The computer system of claim 18 wherein the computer further comprises a peripheral bridge directly coupled to the central processing unit without any intervening Peripheral Component Interconnect (“PCI”) bus, the peripheral bridge directly conveying an encoded serial bit stream of address and data bits of a PCI bus transaction.
 20. The computer system of claim 19 wherein the peripheral bridge conveys the encoded serial bit stream of address and data bits of the PCI bus transaction to the first LVDS channel upon coupling of the computer to the console.
 21. A computer, comprising: a central processing unit directly connected to a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit Universal Serial Bus (USB) Protocol data in opposite directions; a second LVDS channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; a connector coupled to the first LVDS channel; and a main memory directly coupled to the central processing unit.
 22. The computer of claim 21 wherein the second LVDS channel communicates an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (“PCI”) bus transaction.
 23. The computer of claim 21 wherein the first LVDS channel conveys Universal Serial Bus (USB) Protocol data to a console through the connector.
 24. A computer, comprising: an integrated central processing unit and graphics controller in a single chip directly connected to a Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; a main memory directly coupled to the integrated central processing unit and graphics controller; a differential signal channel directly extending from the integrated central processing unit and graphics controller to convey digital video display information; a connector for coupling to a console; and a second differential signal channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions, wherein the second differential signal channel conveys Universal Serial Bus (USB) protocol data through the connector to the console.
 25. The computer of claim 24 wherein the LVDS channel conveys an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (“PCI”) bus transaction.
 26. A modular computer system, comprising: a console comprising a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; and a computer coupled to the console through a connector, the computer comprising a central processing unit, a mass storage unit coupled to the central processing unit, a second LVDS channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions, and a peripheral bridge directly coupled to the central processing unit without any intervening Peripheral Component Interconnect bus, wherein the peripheral bridge directly conveys an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (“PCI”) bus transaction over the second LVDS channel; and wherein the second LVDS channel communicates to the first LVDS channel in the console upon the computer coupling to the console.
 27. The modular computer system of claim 26 wherein the second LVDS channel conveys the encoded serial bit stream of the PCI bus transaction to the first LVDS channel upon coupling of the computer module to the console.
 28. The modular computer system of claim 27 wherein the console further comprises a mass storage device that couples to the first and second LVDS channels.
 29. A modular computer system, comprising: a console comprising a power supply; and a computer coupled to the console through a connector, the computer comprising a central processing unit, a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, multiple serial bit channels to transmit data in opposite directions, a peripheral bridge directly coupled to the first LVDS channel to communicate an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (“PCI”) bus transaction, the peripheral bridge directly coupled to the central processing unit without any intervening PCI bus, and wherein the power supply supplies power to the computer upon coupling to the console.
 30. The computer system of claim 29 further comprising a second LVDS channel that conveys the encoded serial bit stream of address and data bits of the PCI bus transaction, wherein the second LVDS channel directly extends from the central processing unit.
 31. A modular computer system, comprising: a console comprising a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; and a computer that couples to the console, the computer comprising an integrated central processing unit and graphics controller in a single chip, directly connected to a second LVDS channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions, and a connector that couples to the first LVDS channel in the console.
 32. The modular computer system of claim 31 wherein the second LVDS channel conveys an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (“PCI”) bus transaction.
 33. The modular computer system of claim 31 wherein the first LVDS channel conveys an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (“PCI”) bus transaction.
 34. The modular computer system of claim 31 wherein the computer conveys Universal Serial Bus (USB) protocol data to the console upon the computer coupling to the console.
 35. A computer, comprising: a central processing unit; a main memory directly connected to the central processing unit; a peripheral bridge directly coupled to the central processing unit without any intervening Peripheral Component Interconnect (PCI) bus, wherein the peripheral bridge directly conveys an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (PCI) bus transaction over a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; and a mass storage device directly coupled to the peripheral bridge.
 36. The computer of claim 35 further comprising a graphics controller coupled to the peripheral bridge.
 37. A computer, comprising: a central processing unit directly connected to a first Low Voltage Differential Signal (LVDS) channel to convey a first encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (PCI) bus transaction; a main memory directly connected to the central processing unit; and a peripheral bridge directly coupled to the central processing unit without any intervening PCI bus, wherein the peripheral bridge directly conveys a second encoded serial bit stream of address and data bits of a (PCI) bus transaction over a second LVDS channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions.
 38. The computer of claim 37 further comprising a connector coupled to a console, wherein the second LVDS channel communicates the second encoded serial bit stream of address and data bits of the PCI bus transaction to the console.
 39. The computer of claim 38 further comprising a graphics controller to convey digital video display information from the connector to the console.
 40. The computer of claim 38 wherein the console comprises a peripheral device that couples to the second LVDS channel.
 41. A computer, comprising: an integrated central processing unit and graphics controller in a single chip directly connected to a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions, wherein the integrated central processing unit and graphics controller conveys digital video display signals through a second differential signal channel; a main memory directly coupled to the integrated central processing unit and graphics controller; and a mass storage device comprising flash memory.
 42. The computer of claim 41 wherein the second differential signal channel conveys Transition Minimized Differential Signaling (TMDS) information.
 43. The computer of claim 41 wherein the first LVDS channel conveys an encoded serial bit stream of address and data bits of a Peripheral Component Interconnect (PCI) bus transaction.
 44. A computer, comprising: an integrated central processing unit and graphics controller in a single chip directly connected to a first Low Voltage Differential Signal (LVDS) channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions; a main memory directly coupled to the integrated central processing unit and graphics controller; a mass storage device comprising flash memory; a connector that conveys Universal Serial Bus (USB) protocol information to a console; and a second LVDS channel comprising two sets of unidirectional, serial bit channels to transmit data in opposite directions, wherein the second LVDS channel conveys said USB protocol information to the console through the connector.
 45. A computer, comprising: a Central Processing Unit (CPU) directly connected to a Low Voltage Differential Signal (LVDS) channel comprising two sets of multiple, unidirectional, serial bit channels to convey an encoded serial bit stream of encoded address and data bits of a Peripheral Component Interconnect (“PCI”) bus transaction in opposite directions; a main memory directly connected to the CPU; and a mass storage device coupled to the CPU.
 46. The computer of claim 45 further comprising a connector, wherein the connector connects to a console comprising a power supply, and the power supply supplies power to the computer upon coupling to the console.
 47. The computer of claim 45 wherein the mass storage device comprises flash memory.
 48. A computer, comprising: an integrated central processing unit and graphics controller in a single chip directly connected to a first Low Voltage Differential Signal (LVDS) channel comprising two sets of multiple, unidirectional, serial bit channels to convey an encoded serial bit stream of encoded address and data bits of a Peripheral Component Interconnect (PCI) bus transaction in opposite directions; a main memory directly coupled to the integrated central processing unit and graphics controller; and an Ethernet communication device coupled to the first LVDS channel.
 49. The computer of claim 48 further comprising a connector, wherein the connector connects to a console comprising a power supply, and the power supply supplies power to the computer upon coupling to the console.
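
The status selection recited in claims 1 through 7 can be sketched as a fail-closed lookup; this is an added example, not code from the patent. The rule layout, status bit values, sample identification values and function names are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Security status (assumed encoding): each set bit DISABLES a capability. */
#define SEC_FULL_ACCESS        0x00u
#define SEC_DISABLE_NETWORK    0x01u  /* claim 2: no network access */
#define SEC_DISABLE_SECONDARY  0x02u  /* claim 3: no copy-out to secondary storage */
#define SEC_LOCKDOWN           (SEC_DISABLE_NETWORK | SEC_DISABLE_SECONDARY)

/* Hypothetical rule record: one (module, console) pairing and its status. */
struct sec_rule {
    uint32_t module_id;
    uint32_t console_id;
    uint8_t  status;
};

/* All-zeros and all-ones are what erased or unreadable flash typically
 * returns, so neither is accepted as a security identification. */
static int id_is_valid(uint32_t id)
{
    return id != 0x00000000u && id != 0xFFFFFFFFu;
}

/* Select the status for this module/console relationship.
 * Every failure path returns the most restrictive status. */
uint8_t select_security_status(uint32_t module_id, uint32_t console_id,
                               const struct sec_rule *rules, size_t n_rules)
{
    uint8_t status = SEC_FULL_ACCESS;
    int matched = 0;

    if (!id_is_valid(module_id) || !id_is_valid(console_id) || rules == NULL)
        return SEC_LOCKDOWN;

    for (size_t i = 0; i < n_rules; i++) {
        if (rules[i].module_id != module_id || rules[i].console_id != console_id)
            continue;
        /* Undefined status bits indicate a corrupt record: do not trust it. */
        if (rules[i].status & ~SEC_LOCKDOWN)
            return SEC_LOCKDOWN;
        /* Conflicting records combine to the more restrictive result. */
        status |= rules[i].status;
        matched = 1;
    }
    /* Unknown pairing: fail closed rather than default to full access. */
    return matched ? status : SEC_LOCKDOWN;
}

int network_allowed(uint8_t status)           { return !(status & SEC_DISABLE_NETWORK); }
int secondary_storage_allowed(uint8_t status) { return !(status & SEC_DISABLE_SECONDARY); }

/* Constructed sample table; the IDs are made up for this example. */
static const struct sec_rule SAMPLE_RULES[] = {
    { 0x00A1B2C3u, 0x00001001u, SEC_FULL_ACCESS },       /* home desktop console */
    { 0x00A1B2C3u, 0x00002002u, SEC_DISABLE_SECONDARY }, /* office desktop console */
    { 0x00A1B2C3u, 0x00003003u, SEC_DISABLE_NETWORK },   /* co-worker's console */
    { 0x00A1B2C3u, 0x00003003u, SEC_DISABLE_SECONDARY }, /* duplicate, conflicting */
    { 0x00A1B2C3u, 0x00004004u, 0x80u },                 /* record with an undefined bit */
};
#define N_SAMPLE_RULES (sizeof SAMPLE_RULES / sizeof SAMPLE_RULES[0])

int main(void)
{
    const uint32_t consoles[] = { 0x00001001u, 0x00002002u, 0x00003003u,
                                  0x00004004u, 0x00009999u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof consoles / sizeof consoles[0]; i++) {
        uint8_t s = select_security_status(0x00A1B2C3u, consoles[i],
                                           SAMPLE_RULES, N_SAMPLE_RULES);
        printf("console %08lX: network=%d secondary=%d\n",
               (unsigned long)consoles[i], network_allowed(s),
               secondary_storage_allowed(s));
    }
    return 0;
}
```

The design choice worth noting is that no input, whether an unprogrammed identification, a missing table or an unlisted console, can produce full access by omission.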